
Configuring Wireless settings via Group Policy

Wireless networks are convenient for businesses because they reduce the need to run Ethernet cabling to every desk. Using Active Directory and Group Policy to configure and support wireless clients across the enterprise simplifies the job further.

Wireless networking in an office environment can supplement the Ethernet network in case of an outage or, in some cases, replace it altogether. Using Wireless Access Points (WAPs) to connect remote users or desktop PCs can be a very simple way to get everything up and running quickly. And leveraging the power and centralization of Active Directory when setting up your wireless infrastructure can save time for all parties involved.

Getting started

To get the ball rolling, I suggest creating a new Group Policy Object (GPO) dedicated to the wireless settings. This keeps all the wireless settings contained so they can be enabled and disabled easily. Note: when performing the steps needed to configure these settings, I will be using the Group Policy Management Console (GPMC) -- available at Microsoft downloads.

Follow these steps:

  1. Open the GPMC from the Administrative Tools menu.
  2. Expand the Forest node on the left pane of the console.
  3. Expand Domains and expand your domain.
  4. Locate the Organizational Unit (OU) where you wish to link the GPO.
  5. Right-click the OU and select Create and Link a GPO Here.
Note: Once the GPO is linked here, every object in this OU (and, by inheritance, in its child OUs) receives the settings defined in the linked GPO at the next policy refresh. Link it to the OU that holds your wireless-capable computers rather than to the domain root, so the policy reaches only the machines that need it.

Enter a name for the GPO you are creating and click OK. This creates the object and links it to the OU. Be sure to use a descriptive name for the GPO to make future management a bit easier. A newly created object has no settings defined; right-click the GPO and select Edit to configure the settings you need.
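The same creation and linking step, done from PowerShell instead of the GPMC GUI, as an added example that is not part of the original article. It assumes the GroupPolicy module that ships with the Group Policy Management feature on Windows Server 2008 R2 and later (or with RSAT), and the GPO name and OU distinguished name are hypothetical. The wireless policy itself has no cmdlet, so it is still edited in the Group Policy editor as described in the following sections.

```powershell
# Added example (not from the article): create the wireless GPO and link it
# to an OU from PowerShell. Requires the GroupPolicy module (Windows Server
# 2008 R2 or later, or RSAT); the GPO name and OU below are hypothetical.
Import-Module GroupPolicy

function New-WirelessGpo {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$TargetOu   # distinguished name of the OU
    )
    # Re-use an existing GPO of that name rather than creating a duplicate.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Wireless Network (IEEE 802.11) policy'
    }
    # The wireless policy lives under Computer Configuration only, so stop
    # clients from processing an empty user half on every logon.
    $gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled

    # Link it to the OU unless it is already linked there.
    $links = (Get-GPInheritance -Target $TargetOu).GpoLinks
    if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Usage (hypothetical names): keep the link scoped to the OU that holds the
# wireless-capable computers, not the domain root.
$gpo = New-WirelessGpo -Name 'Wireless Settings' -TargetOu 'OU=Laptops,DC=corp,DC=example'

# Verify the link, then (after the policy has been edited in the GUI) dump the
# settings it carries; the Wireless Network (IEEE 802.11) policy appears under
# Computer Configuration in this report.
(Get-GPInheritance -Target 'OU=Laptops,DC=corp,DC=example').GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$($gpo.DisplayName).html"
```

Disabling the user half of the GPO is hygiene rather than security: the wireless policy is a computer setting, so there is nothing for the user side to process, and an unused half is one less thing to audit.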

Many, many settings for a GPO

When opening the GPO for editing, there will be many options available for configuration. To find the wireless settings, expand the Computer Configuration node, then Windows Settings, and from there Security Settings.

Listed under Security Settings you will see Wireless Network (IEEE 802.11) Policies. Click on this node to display any existing configuration items.

Creating a new Wireless Network Policy

Right-click in the details pane on the right of the console with the Wireless Network Policies node highlighted and select Create Wireless Network Policy, as shown in Figure A.

Figure A


This will open the Wireless Network Policy Wizard. Click Next to bypass the welcome screen. On the next screen, enter a name for the Wireless Network Policy and a description, as in Figure B.

Figure B


Note: Using a description can help you in the event that modifications are needed later. Clicking Next in the dialog box will complete the wizard and display the Completing the Wireless Network Policy Wizard dialog box. Leave the Edit properties box checked so that you can move right into creating the settings for the policy, as shown in Figure C.

Figure C


On the properties sheet for the wireless network policy, the General tab displays the name and description created by the wizard and also lets you configure the following:

  • Check for Policy Changes Every x Minutes sets how often clients re-read the wireless policy from Active Directory.
  • Networks to Access options:
    • Any available network (access point preferred)
    • Access point (infrastructure) networks only
    • Computer to computer (ad hoc) networks only
  • Use Windows to Configure Wireless Network Settings for Clients lets Windows (rather than a vendor utility) manage the wireless settings on client computers.
  • Automatically Connect to Non-Preferred Networks lets clients join networks that are not listed on the Preferred Networks tab of the properties dialog box.

Two of these settings deserve care from a security standpoint. Allowing ad hoc (computer-to-computer) networks, or selecting Any available network, lets a domain-joined laptop associate with networks you do not control, and Automatically Connect to Non-Preferred Networks removes the one remaining step that would stop it. For managed clients, restrict Networks to Access to access point (infrastructure) networks only, leave automatic connection to non-preferred networks disabled, and list only your own SSIDs on the Preferred Networks tab.

The Preferred Networks tab of the Wireless Network Policy Properties dialog (Figure D) allows configuration of the preferred networks that clients should connect to.


To add a preferred network, complete the following steps:

  1. Click the Add button on the Preferred Networks tab.
  2. Enter the Network Name (SSID) for the preferred network.
  3. Enter a description of the network.
  4. Select the Network Authentication type for the network.

You can choose from the following network authentication types:

  • Open: no authentication; encryption, if any, is WEP with a static key
  • Shared: IEEE 802.11 shared-key authentication, a challenge/response that proves possession of a static WEP key (the exchange exposes keystream, so it is considered weaker than Open with WEP)
  • WPA: Wi-Fi Protected Access with 802.1X authentication against a RADIUS server
  • WPA-PSK: Wi-Fi Protected Access with a pre-shared key entered on each client

Anything that relies on WEP, whether Open or Shared, should be treated as a legacy option: WEP keys can be recovered from captured traffic, so use WPA or WPA-PSK wherever the access points and clients support it.

Select the data encryption type that goes with the authentication method you chose (WEP for Open or Shared; TKIP or AES for WPA and WPA-PSK) and meets the needs of your organization. Note that the policy itself does not carry a static key. For Open and Shared authentication you can clear the option that says the key is provided automatically, in which case the user must type the WEP key on the client, or leave it selected so that the key is delivered by 802.1X. With either WPA setting this option is grayed out: WPA derives its keys during the 802.1X exchange, which you configure on the IEEE 802.1X tab of the same dialog, and WPA-PSK derives them from a passphrase that the user still has to enter on the client.

Select the check box if this network is a computer-to-computer (ad hoc) network that does not use access points; for a managed office network, leave it cleared. If you do not need to configure other settings, click OK to close the properties dialog box. Once Group Policy has refreshed in your domain (or you run gpupdate /force on a client), any computer object in the OU this GPO is linked to, or moved into it later, receives the wireless policy and will connect to the preferred networks you defined.
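An added example, not from the original article, of the check a practitioner would want once the policy has refreshed: an audit of the wireless profiles actually present on a client, flagging anything the policy was meant to exclude (networks outside the preferred list, Open or Shared authentication, WEP, ad hoc networks, and automatic connection to a non-preferred network). It assumes a Windows Vista or later client, where the netsh wlan context exists (it does not on Windows XP), English-language field labels in netsh output, and a hypothetical corporate SSID list.

```powershell
# Added example (not from the article): audit a client's wireless profiles
# against the intent of the wireless GPO. Requires Windows Vista or later
# (netsh wlan) and assumes English-language netsh output.

function Get-NetshField {
    # Return the value of a "Label : value" line from netsh output, or $null.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim('"') }
    }
    return $null
}

function Get-WlanProfileAudit {
    param(
        # Assumption: the SSIDs your GPO lists on the Preferred Networks tab.
        [string[]]$PreferredSsid = @('CorpWiFi')
    )
    # Profile names come from the "All User Profile : <name>" lines.
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-NetshField $detail 'Authentication'
        $cipher = Get-NetshField $detail 'Cipher'
        $type   = Get-NetshField $detail 'Network type'
        $mode   = Get-NetshField $detail 'Connection mode'

        $findings = @()
        if ($PreferredSsid -notcontains $name) {
            $findings += 'not on the preferred list'
            if ($mode -match 'automatically') { $findings += 'auto-connects to a non-preferred network' }
        }
        if ($auth -match '^(Open|Shared)$') { $findings += "no WPA/802.1X authentication ($auth)" }
        if ($cipher -eq 'WEP')             { $findings += 'WEP encryption' }
        if ($type -match 'Ad hoc')         { $findings += 'ad hoc (computer-to-computer) network' }

        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            NetworkType    = $type
            ConnectionMode = $mode
            Findings       = ($findings -join '; ')
        }
    }
}

# Usage: every profile first, then only the ones that violate the policy intent.
Get-WlanProfileAudit -PreferredSsid 'CorpWiFi', 'CorpWiFi-Guest' | Format-Table -AutoSize
Get-WlanProfileAudit -PreferredSsid 'CorpWiFi', 'CorpWiFi-Guest' |
    Where-Object { $_.Findings } | Format-Table Profile, Findings -AutoSize
```

Run gpupdate /target:computer /force on the client before auditing so that the profiles reflect the current policy; an empty result from the first command means the machine has no wireless interface or no profiles at all.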

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

38 comments
Spector

I don't have Wireless Network (IEEE 802.11) under Computer Configuration> Windows Settings> Security Settings. Is there a template or something I have to download?

Derek Schauland

Have been doing some digging about authentication as well. There are other GPO settings that assist with machine authentication. I am going to look into a post covering this topic in the future. It appears, though, that Wi-Fi can use certificates, smart cards, or RADIUS to authenticate the connection, in which case the WEP key is provided on the fly to the connecting client.

lrussell

Good article. I have always wondered if there was a way to force a disconnect from the Office wireless if a wired connection became active.

panbumalai

Will this be suitable for unified technology as well? What if we use LWAP instead of WAP?

webbr1

Thanks for this article it sums this all up very nicely! One question I've always had though, is that when you implement wireless GPOs is there a way to manage a user's connectivity so they are only connected to either wired or wireless...but not both? This is something we're struggling to configure where I work. One of the possible solutions since we have Symantec SEPM is to leverage Symantec SEPM's policy capabilities...however that's turned out to be overly complex and unreliable and Symantec has been less than helpful working with us on this. Any ideas on how to manage wired versus wireless connectivity?

rgronquillo

This is really cool and helpful... I'll try this tomorrow at work...

merlinpr

As some of you may have noticed, you do not have the option of configuring WPA2 using GPO by default. However, it is possible to do so. Your XP client must have the Wireless Client Update installed to enable WPA2 but if the system is up to date (or at least has SP2) it will already have it. If you're not sure just go to the Wireless Connection properties and add a new profile. You should have WPA2 under "Network Authentication". To configure WPA2 using GPO you will need to have a computer with Windows Vista installed. You can then use the GPO Editor in Vista to create the Policy.

LievenV

Is there any way to provide a WEP key through the GPO?

Derek Schauland

With a Group Policy configuration of wireless devices, would you be more inclined to work with wireless access to your environment?

EShanahorn

I have been unable to CREATE a "Wireless" GPO from an XP desktop. The "Wireless Network (IEEE 802.11)" configuration items are not available. If I CREATE the GPO on a server OS machine, the "Wireless" items are available. Then, I am able to EDIT the GPO configuration settings from my XP desktop. This is changed significantly in Vista.

Guttersniper

But when I connected to the domain controller and checked there I did have it. Are you using GPM on your own machine or on the server?

merlinpr

You can do this using Cisco Secure Services Client. I'm sure there are others out there but this is the one I have used.

DimHelmet

Check your device drivers. I've noticed on our new Dells that there is a "disable upon wired connect" option in the wifi card properties. I updated to the latest driver on one of our older Dells and it has the option now as well.

Michael Kassner

If your users are leaving their Wi-Fi active at all times they are leaving themselves wide open for all sorts of exploits. The only time the Wi-Fi should be turned on is when the user actually wants to make a connection. This is especially critical if the Wi-Fi client is configured to accept ad hoc connections. I go to clients every day and see this. The users need to be trained to shut off Wi-Fi unless they are actively attached to an AP.

Derek Schauland

I would imagine this can be done by managing connections not in use... I will need to dig a little though... will get something up on it asap

ablohowi

Are you able to authenticate to a Domain through this setup?

Derek Schauland

Authentication is configured for each policy available via group policy. I am going to be covering this in an upcoming post soon.

ascott

For the GPO to apply the laptop would need to be a member of the domain. To join it to the domain you would have to set up the wireless network. A catch-22, or am I missing something here?

mford66215

While I can think of LOTS of reasons for and against applying the security key through GPO, I can't think of one good reason to use WEP. So, are you asking for wep specifically, or just how to apply keys/passwords through GPO?

MytonLopez

This would be great if you had these options. I would not set my wireless any other way.

zyphlar

I've tried many times but never gotten this right: How, exactly, do I make wireless clients (a) connect to a given network (b) using domain-computer credentials (c) authenticating to a RADIUS server (d) so that the computer is connected to the network prior to logon? I generally use 3com WAPs that support RADIUS, but never found a *complete* guide that *works*. Anyone have first-hand experience with this?

Spector

I see that now. On the server it's there but not on my own machine...

drwilkinson

I prefer to use the Dell QuickSet or Connection Manager tools to enable the auto-disabling of wireless when wired is connected. If you run a fair number of Dells in your shop, you should (want to) get to know these tools. :)

drwilkinson

Since your profile says you are an IT Manager I'll assume you have some exposure to the real world of IT, but my first instinct was to make a joke about your sentiment that "users should be trained." In my (many) years in IT I have repeatedly been forced to accept the reality that users don't train well. They mean well and all, but they are NOT all that interested in, or concerned with, such issues. In their mind, that's really your problem. I have begrudgingly accepted I have to, whenever possible, convert 'suggestions' to enforceable, centralized policies.

randy_scadden

That is one thing we also struggle with. When you have a laptop that is hard wired as well as connected wirelessly you eat up two addresses out of your DHCP pool. So I'm curious to hear any thoughts and suggestions from the TR crowd.

ITSuper

If each system comes through my department as it should (HA HA), then we add it to the domain through a hardwired connection first. We can then test to make sure it is being picked up from AD using a local access point.

mhulme

Yes would be the answer to this; however, in my case I use Ghost Solution Suite to image all machines. These are plugged into the network as this is faster. Therefore, when they finish imaging and join the domain they pull down all group policies via cable first. In my case this makes my life so much easier, as they get their wireless settings and I don't have to configure 30 laptops at a time.

LievenV

No catch, our primary connectivity is wired, so the users will get the GPO through wire first.

domster83

I imagine this is more geared towards using Wi-Fi in the office environment. In our company, we deploy WIM images from USB which have a script built into them which joins the PC to the domain, rather than doing so manually. So all PCs are built off a wired Ethernet connection. I do wish my company implemented Wi-Fi in conference and training areas. The current solution of using a 24-port switch is far from ideal!

LievenV

We are using an early generation of Symbol access points which have very good coverage, but alas no WPA support. Also, our scanning terminals are not WPA compatible. So yes, I am asking for WEP specifically.

khettinger

I think the question is how to apply a key through GPO. The Key is needed to connect to my wireless network but I don't see where I can enter that information in a GPO

Michael Kassner

As for me, I've been around the block, actually dragged. Been in IT for over 30 years and I'm still optimistic about training users. I have an intense faith in ALL users and their ability to change if presented with evidence that is understandable and to their benefit. Which is why I consider myself fortunate to be a host and writer for TechRepublic. It allows me to help inform users and IT professionals so they don't make the same mistakes I've made. Saying that, I would like to offer some evidence as to the importance of shutting the Wi-Fi NIC off when it's not used. I'd love you to check out my article about this: http://blogs.techrepublic.com.com/wireless/?p=210 My article isn't that important; it's the link at the end that describes the attack vector. I've been fortunate to learn that users actually do use ad hoc connections, hence my point of shutting off the Wi-Fi NIC if it's not in use.

sobrien

We had the same problem until I discovered that on the Dell laptops with Broadcom wireless NICs we have there is a driver setting called "Disable Upon Wired Connect". You can find it under the Advanced tab of the wireless card properties.

domster83

Depending on your hardware, you may have such software. We use IBMs with the Access Connections software installed. With that you can configure a network location specific to the wired/wireless NIC and also customize printers and proxy settings.

larry.sigfusson

You may be able to set up a hardware profile so that the user would have to select LAN or Wireless on bootup and have only the appropriate network hardware enabled for each profile. This is a bit cumbersome if you want to switch quickly though. I would be interested in hearing other ideas using policy as well.

Michael Kassner

I have all sorts of clients that are in the same predicament. You are still in better shape than many companies that aren't even using any encryption.
